Signature Detail

HTTP: Chunk Length Overflow

This protocol anomaly triggers when an HTTP message that has a chunk length in a Transfer-Encoding; chunk request that is greater than 0x7fffffff. Apache servers 1.3 to 1.3.24 and 2.0 to 2.0.36 are vulnerable. Attackers can cause a denial of service (DoS) or execute arbitrary code on the server.

Extended Description

A buffer overflow in the HTR ISAPI extension has been reported for Microsoft IIS (Internet Information Services). This condition affects IIS 4.0, IIS 5.0 and may be effectively mitigated by disabling the extension. Exploitation of this vulnerability may result in a denial of service or allow for a remote attacker to execute arbitrary instructions on the victim host. A number of Cisco products are affected by this vulnerability, although this issue is not present in the Cisco products themselves.

Affected Products

• Cisco building_broadband_service_manager_(bbsm) 4.0.1
• Cisco building_broadband_service_manager_(bbsm) 4.2.0
• Cisco building_broadband_service_manager_(bbsm) 4.3.0
• Cisco building_broadband_service_manager_(bbsm) 4.4.0
• Cisco building_broadband_service_manager_(bbsm) 4.5.0
• Cisco building_broadband_service_manager_(bbsm) 5.0.0
• Cisco building_broadband_service_manager_(bbsm) 5.1.0
• Cisco call_manager 3.0.0
• Cisco call_manager 3.1.0
• Cisco call_manager 3.2.0
• Cisco unity_server 2.0.0
• Cisco unity_server 2.1.0
• Cisco unity_server 2.2.0
• Cisco unity_server 2.3.0
• Cisco unity_server 2.4.0
• Microsoft iis 4.0
• Microsoft iis 5.0
• Microsoft iis 5.1

References

• BugTraq: 37085
• BugTraq: 5033
• BugTraq: 4474
• CVE: CVE-2012-3544
• CVE: CVE-2013-4322
• CVE: CVE-2018-1000517
• CVE: CVE-2013-2070
• CVE: CVE-2009-0086
• CVE: CVE-2009-3672
• CVE: CVE-2002-0392
• URL: http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.6.1
• URL: https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e